v0.19.0

CHANGES.rst

@@ -3,6 +3,27 @@ Change log
 
 .. note:: **Upgrade notes**: after upgrading, run the ``arouteserver setup-templates`` command to sync the local templates with those distributed with the new version. More details on the `Upgrading <https://arouteserver.readthedocs.io/en/latest/INSTALLATION.html#upgrading>`__ section of the documentation.
 
+v0.19.0
+-------
+
+This is the last release of ARouteServer for which OpenBGPD/OpenBSD 6.0 CI tests are ran. Starting with the next release, any new feature will not be tested against version 6.0 of OpenBGPD. Users are encouraged to move to newer releases.
+
+- New: use NIC.BR Whois data from Registro.br to enrich the dataset used for route validation.
+
+  Details: `RIPE76, Practical Data Sources For BGP Routing Security <https://ripe76.ripe.net/presentations/43-RIPE76_IRR101_Job_Snijders.pdf>`_.
+
+  Related: `issue #28 on GitHub <https://github.com/pierky/arouteserver/issues/28>`_.
+
+- New: introduce support for OpenBGPD/OpenBSD 6.4.
+
+  OpenBSD 6.4 is not released yet, this is just in preparation of it.
+
+  Related: `issue #31 on GitHub <https://github.com/pierky/arouteserver/issues/31>`_.
+
+- Fix (minor): RIPE NCC RPKI Validator v3 expects ``Accept: text/json`` as HTTP header.
+
+  Related: `PR #29 on GitHub <https://github.com/pierky/arouteserver/issues/29>`_.
+
 v0.18.0
 -------
 

README.rst

@@ -76,6 +76,7 @@ Features
 
     - RPKI **ROAs used as route objects**;
     - `Origin AS <https://mailman.nanog.org/pipermail/nanog/2017-December/093525.html>`_ from **ARIN Whois** database dump;
+    - `NIC.BR Whois data <https://ripe76.ripe.net/presentations/43-RIPE76_IRR101_Job_Snijders.pdf>`_ (slide n. 26) from Registro.br;
 
   - **RPKI**-based filtering (BGP Prefix Origin Validation).
 

config.d/general.yml

@@ -214,6 +214,7 @@ cfg:
       # - '[origin|prefix]_(not_)present_in_as_set'
       # - 'prefix_validated_via_rpki_roas'
       # - 'prefix_validated_via_arin_whois_db_dump'
+      # - 'prefix_validated_via_registrobr_whois_db_dump'
       # - 'route_validated_via_white_list' (only for routes validated
       #   solely because of a client-level 'white_list_route' entry)
       #
@@ -301,6 +302,33 @@ cfg:
         # Default: URL of the dump parsed and published by NLNOG.
         source: "http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2"
 
+      use_registrobr_bulk_whois_data:
+        # Similarly to the 'use_arin_bulk_whois_data' option,
+        # this one allows to back IRR filters up by using "Registro.br"
+        # data from the NIC.BR Whois database.
+        # In this case, if 'tag_as_set' is True, these routes
+        # are tagged with the
+        # 'prefix_validated_via_registrobr_whois_db_dump' community.
+        #
+        # The setting of the 'allow_longer_prefixes' option will be
+        # honored.
+
+        # Set this to True to enable this feature.
+        #
+        # Default: False
+        enabled: False
+
+        # The source of the data must be set here.
+        #
+        # It can be an 'http://', 'https://', 'ftp://' URL or a local
+        # file path. The file must be in CSV format, with '|' as a
+        # field separator, accordingly to the following schema:
+        #
+        # ASxxx|Organization|OrgID|w.x.y.z/l|a:b:c:d::/l|...
+        #
+        # Default: URL of the dump published by Registro.br.
+        source: "ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt"
+
     rpki_bgp_origin_validation:
       # Enable BGP Prefix Origin Validation for routes received from
       # clients.
@@ -690,6 +718,10 @@ cfg:
       #std:
       #lrg:
       #ext:
+    prefix_validated_via_registrobr_whois_db_dump:
+      #std:
+      #lrg:
+      #ext:
     route_validated_via_white_list:
       #std:
       #lrg:

docs/EXAMPLES.rst

@@ -20,7 +20,7 @@ Configurations built using the files provided in the ``examples/rich`` directory
 - GTSM and ADD-PATH are enabled by default on the route server.
 - Next-hop filtering allows clients to set NEXT_HOP of any client in the same AS.
 - Local networks are filtered, and also transit-free ASNs, invalid paths and prefixes/origin ASNs which are not authorized by clients' AS-SETs.
-- Dataset used for prefix validation extended using ARIN Whois DB dump and RPKI ROAs.
+- Dataset used for prefix validation extended using ARIN and NIC.BR Whois DB dump and RPKI ROAs.
 - RPKI-based Origin Validation is enabled; INVALID routes are rejected.
 - A max-prefix limit is enforced on the basis of PeeringDB information.
 - Blackhole filtering is implemented with a rewrite-next-hop policy and can be triggered with BGP communities BLACKHOLE, 65534:0 and 999:666:0.
@@ -145,6 +145,8 @@ A list of BGP communities is also automatically built.
    configured.
     - RPKI ROAs are used as if they were route objects to further enrich IRR data.
     - ARIN Whois database dump is fetched from NLNOG to further enrich IRR data.
+    - NIC.BR Whois database dump is fetched from Registro.br to further enrich IRR
+   data.
     - PeeringDB is used to fetch networks prefix count.
     - Routes tagged with the GRACEFUL_SHUTDOWN well-known community (65535:0) are
    processed accordingly to draft-ietf-grow-bgp-gshut.

docs/FEATURES.rst

@@ -66,6 +66,7 @@ Features
 
     - RPKI **ROAs used as route objects**;
     - `Origin AS <https://mailman.nanog.org/pipermail/nanog/2017-December/093525.html>`_ from **ARIN Whois** database dump;
+    - `NIC.BR Whois data <https://ripe76.ripe.net/presentations/43-RIPE76_IRR101_Job_Snijders.pdf>`_ (slide n. 26) from Registro.br;
 
   - **RPKI**-based filtering (BGP Prefix Origin Validation).
 

docs/GENERAL.rst

@@ -405,6 +405,9 @@ https://arouteserver.readthedocs.io/en/latest/CONFIG.html
   - **prefix_validated_via_arin_whois_db_dump**
 
 
+  - **prefix_validated_via_registrobr_whois_db_dump**
+
+
   - **route_validated_via_white_list** (only for routes validated
     solely because of a client-level **white_list_route** entry)
 
@@ -548,6 +551,56 @@ https://arouteserver.readthedocs.io/en/latest/CONFIG.html
 
 
 
+- ``use_registrobr_bulk_whois_data``:
+  Similarly to the **use_arin_bulk_whois_data** option,
+  this one allows to back IRR filters up by using "Registro.br"
+  data from the NIC.BR Whois database.
+  In this case, if **tag_as_set** is True, these routes
+  are tagged with the
+  **prefix_validated_via_registrobr_whois_db_dump** community.
+
+
+  The setting of the **allow_longer_prefixes** option will be
+  honored.
+
+
+- ``enabled``:
+  Set this to True to enable this feature.
+
+
+  Default: **False**
+
+  Example:
+
+  .. code:: yaml
+
+     enabled: False
+
+
+
+- ``source``:
+  The source of the data must be set here.
+
+
+  It can be an **http://**, **https://**, **ftp://** URL or a local
+  file path. The file must be in CSV format, with **|** as a
+  field separator, accordingly to the following schema:
+
+
+  ASxxx|Organization|OrgID|w.x.y.z/l|a:b:c:d::/l|...
+
+
+  Default: **URL of the dump published by Registro.br.**
+
+  Example:
+
+  .. code:: yaml
+
+     source: "ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt"
+
+
+
+
 
 RPKI BGP Origin Validation: ``rpki_bgp_origin_validation``
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -1165,7 +1218,7 @@ matching.
 Prefix/origin AS present in client's AS-SET
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 
-- ``prefix_present_in_as_set``, ``prefix_not_present_in_as_set``, ``origin_present_in_as_set``, ``origin_not_present_in_as_set``, ``prefix_validated_via_rpki_roas``, ``prefix_validated_via_arin_whois_db_dump`` and ``route_validated_via_white_list``:
+- ``prefix_present_in_as_set``, ``prefix_not_present_in_as_set``, ``origin_present_in_as_set``, ``origin_not_present_in_as_set``, ``prefix_validated_via_rpki_roas``, ``prefix_validated_via_arin_whois_db_dump``, ``prefix_validated_via_registrobr_whois_db_dump`` and ``route_validated_via_white_list``:
   Prefix/origin AS present in client's AS-SET.
 
 

docs/_static/examples_auto-config_bird-general.yml.html

@@ -91,6 +91,10 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 <li><p>Database is fetched from <a href="http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2" rel="noopener">http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2</a>.</p></li>
 
+<li><p>Use <strong>NIC.BR Whois DB dump</strong> to validate routes whose origin ASN is authorized by the client's AS-SET but whose prefix is not.</p></li>
+
+<li><p>Database is fetched from ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt.</p></li>
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -139,6 +143,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
   </tr>
 
 
+
     <tr>
     <td>Route authorized soley because of a client white list entry</td>
     <td>64512:41</td>
@@ -273,6 +278,11 @@ <h3>Rejected prefixes</h3>
       <td>any more specific prefix</td>
       <td>RFC 5737 - TEST-NET-1</td>
     </tr>
+    <tr>
+      <td>192.88.99.0/24</td>
+      <td>any more specific prefix</td>
+      <td>RFC 3068 - 6to4 prefix</td>
+    </tr>
     <tr>
       <td>192.168.0.0/16</td>
       <td>any more specific prefix</td>

docs/_static/examples_auto-config_openbgpd62-general.yml.html

@@ -91,6 +91,10 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 <li><p>Database is fetched from <a href="http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2" rel="noopener">http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2</a>.</p></li>
 
+<li><p>Use <strong>NIC.BR Whois DB dump</strong> to validate routes whose origin ASN is authorized by the client's AS-SET but whose prefix is not.</p></li>
+
+<li><p>Database is fetched from ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt.</p></li>
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -139,6 +143,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
   </tr>
 
 
+
     <tr>
     <td>Route authorized soley because of a client white list entry</td>
     <td>64512:41</td>
@@ -273,6 +278,11 @@ <h3>Rejected prefixes</h3>
       <td>any more specific prefix</td>
       <td>RFC 5737 - TEST-NET-1</td>
     </tr>
+    <tr>
+      <td>192.88.99.0/24</td>
+      <td>any more specific prefix</td>
+      <td>RFC 3068 - 6to4 prefix</td>
+    </tr>
     <tr>
       <td>192.168.0.0/16</td>
       <td>any more specific prefix</td>

docs/_static/examples_default.html

@@ -78,6 +78,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 
 
+
 </ul>
 
 

docs/_static/examples_rich.html

@@ -92,6 +92,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 <li><p>Database is fetched from <a href="http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2" rel="noopener">http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2</a>.</p></li>
 
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -134,6 +135,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
     <td>999:65530:4</td>
   </tr>
 
+
     <tr>
     <td>Route authorized soley because of a client white list entry</td>
     <td>65530:3</td>
@@ -269,6 +271,11 @@ <h3>Rejected prefixes</h3>
       <td>any more specific prefix</td>
       <td>RFC 5737 - TEST-NET-1</td>
     </tr>
+    <tr>
+      <td>192.88.99.0/24</td>
+      <td>any more specific prefix</td>
+      <td>RFC 3068 - 6to4 prefix</td>
+    </tr>
     <tr>
       <td>192.168.0.0/16</td>
       <td>any more specific prefix</td>

docs/_static/tests_real_general.html

@@ -91,6 +91,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 <li><p>Database is fetched from <a href="http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2" rel="noopener">http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2</a>.</p></li>
 
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -121,6 +122,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 
 
+
 
 </tbody>
 </table>
@@ -250,6 +252,11 @@ <h3>Rejected prefixes</h3>
       <td>any more specific prefix</td>
       <td>RFC 5737 - TEST-NET-1</td>
     </tr>
+    <tr>
+      <td>192.88.99.0/24</td>
+      <td>any more specific prefix</td>
+      <td>RFC 3068 - 6to4 prefix</td>
+    </tr>
     <tr>
       <td>192.168.0.0/16</td>
       <td>any more specific prefix</td>

examples/auto-config/README.rst

@@ -56,6 +56,8 @@ A list of BGP communities is also automatically built.
    configured.
     - RPKI ROAs are used as if they were route objects to further enrich IRR data.
     - ARIN Whois database dump is fetched from NLNOG to further enrich IRR data.
+    - NIC.BR Whois database dump is fetched from Registro.br to further enrich IRR
+   data.
     - PeeringDB is used to fetch networks prefix count.
     - Routes tagged with the GRACEFUL_SHUTDOWN well-known community (65535:0) are
    processed accordingly to draft-ietf-grow-bgp-gshut.

examples/auto-config/bird-general.yml

@@ -49,6 +49,8 @@ cfg:
         enabled: true
       use_arin_bulk_whois_data:
         enabled: true
+      use_registrobr_bulk_whois_data:
+        enabled: true
     max_prefix:
       action: shutdown
       peering_db:

examples/auto-config/bird-general.yml.html

@@ -91,6 +91,10 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
 
 <li><p>Database is fetched from <a href="http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2" rel="noopener">http://irrexplorer.nlnog.net/static/dumps/arin-whois-originas.json.bz2</a>.</p></li>
 
+<li><p>Use <strong>NIC.BR Whois DB dump</strong> to validate routes whose origin ASN is authorized by the client's AS-SET but whose prefix is not.</p></li>
+
+<li><p>Database is fetched from ftp://ftp.registro.br/pub/numeracao/origin/nicbr-asn-blk-latest.txt.</p></li>
+
 <li><p>
 Route <strong>validity state</strong> is signalled to route server clients using the following <strong>BGP communities</strong>:
 <table class="table">
@@ -139,6 +143,7 @@ <h3>IRRDBs prefix/origin ASN enforcement</h3>
   </tr>
 
 
+
     <tr>
     <td>Route authorized soley because of a client white list entry</td>
     <td>64512:41</td>
@@ -273,6 +278,11 @@ <h3>Rejected prefixes</h3>
       <td>any more specific prefix</td>
       <td>RFC 5737 - TEST-NET-1</td>
     </tr>
+    <tr>
+      <td>192.88.99.0/24</td>
+      <td>any more specific prefix</td>
+      <td>RFC 3068 - 6to4 prefix</td>
+    </tr>
     <tr>
       <td>192.168.0.0/16</td>
       <td>any more specific prefix</td>

examples/auto-config/openbgpd62-general.yml

@@ -50,6 +50,8 @@ cfg:
         enabled: true
       use_arin_bulk_whois_data:
         enabled: true
+      use_registrobr_bulk_whois_data:
+        enabled: true
     max_prefix:
       action: shutdown
       peering_db: